Posted by kdawson on Tuesday August 19, 2008 @03:22PM
from the common-sense-descends dept.

mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days. "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."

Actually, if you had access to PACER, you could read the version of the presentation the students gave to the MBTA, including the secret key and a few other details that the MIT students were intending to leave out of the DEFCON presentation.

IOW, the information is already leaked, and it was the MBTA that leaked it.

I use the past tense above because I don't have access to PACER and I very much hope they got around to censoring that bit of info from the MBTA's submissions.

Both the magnetic stripe card and the chip card used for electronic payment of public transport fares in Boston are flawed and allow several types of attacks which result in free rides. The hack of the chip card is an implementation of an older, less exploitative hack of the Mifare classic chip which is used in many public transport systems and other prepaid applications all over the world.

Umm, actually, NPR is heard in more places in the US and on Earth than Fox and CNN. It can also be streamed easily. NPR is also sent through translator sites to remote parts of the US that extend the reach where no one else goes, like rural Nevada, California, and so on.

AFR and AFN also carry a lot of NPR, and news feeds also extend to the CBC, BBC, RCI, and other sites/broadcasters as well. The news is out. As it should be.

Funny this came up. EXACTLY the same debacle has unfolded here in the Netherlands with the card scheme for the nationwide metro/train/tram system intended to replace the paper ticket system still in use today. (company NS - www.ns.nl).

Suffering from the universal upper management tendency toward self-harm through compulsive obsession with the bottom-line, they ignored whitepapers signed by the senior technical staff begging them to go with 3DES and AES. A couple of weeks after the (limited) trial roll out the card was cracked and an infinitely loadable version created and demoed by white/grey hats.

This is somewhat ironic as the Netherlands is one of the world's largest suppliers of smart card technology, and in Europe this is (was?) considered a "specialty" of theirs...

It also doesn't help that the company NS (Nederlandse Spoorweg or "Dutch Platform") is made of epic fail, but that's a rather long & distinctly boring story.

You were reading about the CharlieTicket, a paper card with a magnetic stripe. The data on them was found to be unencrypted and "protected" by a 6-bit checksum.

The CharlieCard, on the other hand, is a MIFARE Classic card [wikipedia.org]. It uses a shared secret key which the card and reader use to authenticate each other. This key was discovered to be 48 bits long.

Fully correcting the problem is, as you point out, most likely difficult with the systems already in place. On the other hand a lot of corrective measures can be implemented to improve the current systems as well. Many ideas and suggestions were given [slashdot.org] to the MBTA administrators by the group of MIT students.

Simple things to improve physical security require only minimal investment (things like making sure employees lock the doors as they should). That was an important point of their presentation: It's not all about hacking the card system or equipment.